Install and configure Microsoft Defender for EDR Integration

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 5 minutes
  • Install and configure the Microsoft Defender for EDR integration from the ServiceNow Store.

    Before you begin

    Role required: sn_sec_tisc.admin

    • The Threat Intelligence Security Center application must be installed and activated from the ServiceNow Store.
    • Obtain the API Tenant ID, Client ID, and Client Secret from the Microsoft Defender for EDR console.

    Procedure

    1. Download the Microsoft Defender for EDR integration from the ServiceNow Store and install it.
    2. Using your instance, access Threat Intelligence Security Center.
    3. Download the integration from the ServiceNow Store.
    4. Select Integrations > Security Tools > EDR.
    5. Click Configure new source tool integration.
    6. Select the Microsoft Defender for EDR option.
    7. Click Select.
    8. On the form, fill in the following fields.
      Table 1. Configure Microsoft Defender for EDR integration

      | Field | Description |
      |---|---|
      | Name | Name for the new security tool integration configuration. For example, Microsoft Defender for EDR integration. |
      | Integration Category | Option that displays the integration category. |
      | Vendor Name | Name of the vendor. The details of the selected vendor are populated by default. |
      | Integration Type | Option that displays the integration type. |
      | Description | Description for the new security tool integration configuration. |
      | Integration Configuration | |
      | Base URL | The Microsoft Defender for EDR API base URL. The default value is https://api.securitycenter.microsoft.com/. |
      | Tenant ID | The tenant ID that you obtained from Microsoft Defender. |
      | Client ID | The client ID that you obtained from Microsoft Defender. |
      | Client Secret | The client secret key that you obtained from Microsoft Defender. |
      | Prefilled title (used during submission) | The default title used when observables are submitted to Microsoft Defender. These details are displayed by default, so you don't need to re-enter them each time you submit to EDR. |
      | Prefilled description (used during submission) | The default description used when observables are submitted to Microsoft Defender. These details are displayed by default, so you don't need to re-enter them each time you submit to EDR. |
      | Expiration period in days for any type of observables | The expiry period, in days, that is applied to observables when they are sent to Microsoft Defender EDR. Note: This option is the fallback expiration period when the expiration time is not set for a specific observable type. |
      | Expiration period in days for IP type of observables | The expiry period, in days, that is applied to IP observables when they are sent to Microsoft Defender EDR. |
      | Expiration period in days for Domain type of observables | The expiry period, in days, that is applied to domain observables when they are sent to Microsoft Defender EDR. |
      | Expiration period in days for Hash type of observables | The expiry period, in days, that is applied to hash observables when they are sent to Microsoft Defender EDR. |
    9. Click Save after adding the necessary configuration information.
    10. Click Enable to enable the configuration, after you save the new Microsoft Defender EDR integration.
      A confirmation message is displayed that the enrichment integration is enabled successfully.

    Result

    After the integration is configured, you can select any type of observable that supports Microsoft Defender EDR from the Threat Intel Library and then send it to EDR. For more information, see Send observables to EDR.
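
The following is an added example, not ServiceNow or Microsoft code: a pre-flight check of the values entered in Table 1, plus the per-type expiration fallback described in the note. The dictionary keys, function names, and submission fields are hypothetical, the sample values are constructed placeholders, and the GUID check assumes the Tenant ID and Client ID are GUIDs as issued by Microsoft Entra ID.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
import uuid

# Constructed sample configuration; keys are hypothetical, values are placeholders.
CONFIG = {
    "base_url": "https://api.securitycenter.microsoft.com/",
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "66666666-7777-8888-9999-000000000000",
    "client_secret": "placeholder-secret",
    "prefilled_title": "Submitted from TISC",
    "prefilled_description": "Observable sent from Threat Intelligence Security Center",
    "expiry_days": {"any": 30, "ip": 7, "domain": 14, "hash": None},
}

def validate_config(cfg):
    """Return a list of problems found in the form values (empty if none)."""
    problems = []
    url = urlparse(cfg["base_url"])
    if url.scheme != "https" or not url.hostname:
        problems.append("base_url must be an https:// URL")
    for key in ("tenant_id", "client_id"):
        try:
            uuid.UUID(cfg[key])  # assumption: both IDs are GUIDs
        except (ValueError, TypeError):
            problems.append(f"{key} is not a GUID")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty")
    for kind, days in cfg["expiry_days"].items():
        if days is not None and (not isinstance(days, int) or days <= 0):
            problems.append(f"expiry_days[{kind}] must be a positive integer")
    if cfg["expiry_days"].get("any") is None:
        problems.append("fallback expiry (any type) is not set")
    return problems

def resolve_expiry(cfg, observable_type, now):
    """Use the per-type period; fall back to the 'any type' period if unset."""
    days = cfg["expiry_days"].get(observable_type) or cfg["expiry_days"]["any"]
    return now + timedelta(days=days)

def build_submission(cfg, observable_type, value, now=None):
    now = now or datetime.now(timezone.utc)
    expires = resolve_expiry(cfg, observable_type, now)
    return {
        "value": value,
        "type": observable_type,
        "title": cfg["prefilled_title"],
        "description": cfg["prefilled_description"],
        "expiration_time": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
```
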